Senators press DHS head for details on cybersecurity plans

Congress feels cut out of the National Cybersecurity Initiative, and a pair of …

Members of the Senate say they're only too happy to back the Department of Homeland Security's Comprehensive National Cybersecurity Initiative (CNCI), to the tune of some $200 million in new funds for the department's National Cyber Security Division. But if it isn't too much trouble, would somebody kindly explain to Congress exactly what it will do?

In a letter sent to Homeland Security Secretary Michael Chertoff late last week, Senators Joe Lieberman (I-CT) and Susan Collins (R-ME) expressed "concerns about how information has been shared with Congress," suggesting that a "lack of collaboration" could hinder the ambitious new plan to guard American electronic networks against foreign attack. They noted, for instance, that DHS had recently announced the appointment of tech entrepreneur Rod Beckström to head its National Cyber Security Center, after telling Congress that the Center's very existence was classified. They also complained that DHS did not appear to have implemented Government Accountability Office recommendations enjoining the development of clearer guidelines to establish the responsibilities of independent contractors.

The broad array of unanswered questions posed in the letter suggests the extent to which Congress has been cut out of the loop. What information about the initiative is classified, and what may be publicly debated? What is the role of the NCSC, and under what legal authority was Beckström appointed? What metrics will be used to determine whether the initiative is succeeding in its goals? Have private sector firms and security experts been consulted, and if not, shouldn't they be? What are the privacy and civil liberties implications of the plan, and in particular the EINSTEIN traffic analysis program, which is meant to act as an early warning system for electronic attacks?

The CNCI was authorized under a classified directive signed by President George W. Bush in January. The most detailed public description to date of what it entails was given by Secretary Chertoff in his keynote address at last month's RSA Conference, during which, in a Hollywood-worthy soundbite, he described it as a "Manhattan Project to defend cyber networks." Even then, however, Chertoff said a fair amount about the potential threat of digital attacks, comparing them to 9/11 in potential magnitude, and significantly less about the specifics of the plan to prevent them. At minimum, it will involve a more coordinated, less ad hoc effort to secure federal networks, and a drastic reduction in the number of gateways between those networks and the outside world. Chertoff also spoke in vague terms of voluntary partnerships with private network operators, acknowledging that securing any part of an interdependent, interconnected network ultimately required securing the network as a whole. He promised, however, that this would not entail the government "sitting on the network" to filter what enters and exits.